Merge remote-tracking branch 'origin/master'

Former-commit-id: 5eb272a53b94c6346b7c43ee5f0acd45c2e2911c
2026-03-24 01:51:49 +01:00 · 2014-11-16 12:53:37 -06:00
parent 1b2cd354db f333ef76d9
commit 735fcfeee2
28 changed files with 368 additions and 96 deletions
--- a/dependency-check-ant/pom.xml
+++ b/dependency-check-ant/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2013 - Jeremy Long. All Rights Reserved.
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.6-SNAPSHOT</version>
+        <version>1.2.6</version>
    </parent>
    <artifactId>dependency-check-ant</artifactId>
--- a/dependency-check-cli/pom.xml
+++ b/dependency-check-cli/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.6-SNAPSHOT</version>
+        <version>1.2.6</version>
    </parent>
    <artifactId>dependency-check-cli</artifactId>
@@ -286,12 +286,12 @@ Copyright (c) 2012 - Jeremy Long. All Rights Reserved.
            <plugin>
                <groupId>org.codehaus.mojo</groupId>
                <artifactId>appassembler-maven-plugin</artifactId>
-                <version>1.7</version>
+                <version>1.8.1</version>
                <configuration>
                    <programs>
                        <program>
                            <mainClass>org.owasp.dependencycheck.App</mainClass>
-                            <name>dependency-check</name>
+                            <id>dependency-check</id>
                        </program>
                    </programs>
                    <assembleDirectory>${project.build.directory}/release</assembleDirectory>
--- a/dependency-check-cli/src/main/assembly/release.xml
+++ b/dependency-check-cli/src/main/assembly/release.xml
@@ -2,10 +2,8 @@
 <assembly
    xmlns="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2"
    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
-    xsi:schemaLocation="
+    xsi:schemaLocation="http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
-    http://maven.apache.org/plugins/maven-assembly-plugin/assembly/1.1.2
+      http://maven.apache.org/xsd/assembly-1.1.2.xsd"
      http://maven.apache.org/xsd/assembly-1.1.2.xsd
  "
 >
    <id>release</id>
    <formats>
--- a/dependency-check-core/pom.xml
+++ b/dependency-check-core/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.6-SNAPSHOT</version>
+        <version>1.2.6</version>
    </parent>
    <artifactId>dependency-check-core</artifactId>
@@ -419,6 +419,12 @@ Copyright (c) 2012 Jeremy Long. All Rights Reserved.
            <version>4.3.1</version>
            <scope>test</scope>
        </dependency>
        <!--dependency>
            <groupId>org.jmockit</groupId>
            <artifactId>jmockit</artifactId>
            <version>1.12</version>
            <scope>test</scope>
        </dependency-->
        <dependency>
            <groupId>com.google.code.findbugs</groupId>
            <artifactId>annotations</artifactId>
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/AssemblyAnalyzer.java
@@ -120,9 +120,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
            // Try evacuating the error stream
            rdr = new BufferedReader(new InputStreamReader(proc.getErrorStream(), "UTF-8"));
            String line = null;
            // CheckStyle:VisibilityModifier OFF
            while (rdr.ready() && (line = rdr.readLine()) != null) {
                LOGGER.log(Level.WARNING, "analyzer.AssemblyAnalyzer.grokassembly.stderr", line);
            }
            // CheckStyle:VisibilityModifier ON
            int rc = 0;
            doc = builder.parse(proc.getInputStream());
@@ -233,9 +235,11 @@ public class AssemblyAnalyzer extends AbstractFileTypeAnalyzer {
            final Process p = pb.start();
            // Try evacuating the error stream
            rdr = new BufferedReader(new InputStreamReader(p.getErrorStream(), "UTF-8"));
            // CheckStyle:VisibilityModifier OFF
            while (rdr.ready() && rdr.readLine() != null) {
                // We expect this to complain
            }
            // CheckStyle:VisibilityModifier ON
            final Document doc = DocumentBuilderFactory.newInstance().newDocumentBuilder().parse(p.getInputStream());
            final XPath xpath = XPathFactory.newInstance().newXPath();
            final String error = xpath.evaluate("/assembly/error", doc);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/CentralAnalyzer.java
@@ -1,14 +1,22 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.analyzer;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.data.central.CentralSearch;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.URL;
@@ -16,11 +24,23 @@ import java.util.List;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.central.CentralSearch;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.dependency.Confidence;
 import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 /**
- * Created by colezlaw on 10/9/14.
+ * Analyzer which will attempt to locate a dependency, and the GAV information, by querying Central for the dependency's
 * SHA-1 digest.
 *
 * @author colezlaw
 */
 public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The logger.
     */
@@ -42,16 +62,21 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
    private static final Set<String> SUPPORTED_EXTENSIONS = newHashSet("jar");
    /**
-     * The analyzer should be disabled if there are errors, so this is a flag
+     * The analyzer should be disabled if there are errors, so this is a flag to determine if such an error has
-     * to determine if such an error has occurred.
+     * occurred.
     */
-    protected boolean errorFlag = false;
+    private boolean errorFlag = false;
    /**
     * The searcher itself.
     */
    private CentralSearch searcher;
    /**
     * Field indicating if the analyzer is enabled.
     */
    private final boolean enabled = checkEnabled();
    /**
     * Determine whether to enable this analyzer or not.
     *
@@ -59,6 +84,15 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
     */
    @Override
    public boolean isEnabled() {
        return enabled;
    }
    /**
     * Determines if this analyzer is enabled.
     *
     * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
     */
    private boolean checkEnabled() {
        boolean retval = false;
        try {
@@ -68,7 +102,7 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
                    LOGGER.info("Enabling the Central analyzer");
                    retval = true;
                } else {
-                    LOGGER.info("Nexus analyzer is enabled, disabling Central");
+                    LOGGER.info("Nexus analyzer is enabled, disabling the Central Analyzer");
                }
            } else {
                LOGGER.info("Central analyzer disabled");
@@ -76,14 +110,13 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
        } catch (InvalidSettingException ise) {
            LOGGER.warning("Invalid setting. Disabling the Central analyzer");
        }
        return retval;
    }
    /**
     * Initializes the analyzer once before any analysis is performed.
     *
-     * @throws Exception if there's an error during initalization
+     * @throws Exception if there's an error during initialization
     */
    @Override
    public void initializeFileTypeAnalyzer() throws Exception {
@@ -106,7 +139,8 @@ public class CentralAnalyzer extends AbstractFileTypeAnalyzer {
        return ANALYZER_NAME;
    }
-    /** Returns the key used in the properties file to to reference the analyzer's enabled property.
+    /**
     * Returns the key used in the properties file to to reference the analyzer's enabled property.
     *
     * @return the analyzer's enabled property setting key.
     */
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/analyzer/NexusAnalyzer.java
@@ -24,7 +24,6 @@ import java.net.URL;
 import java.util.Set;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import org.owasp.dependencycheck.Engine;
 import org.owasp.dependencycheck.analyzer.exception.AnalysisException;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
@@ -34,8 +33,6 @@ import org.owasp.dependencycheck.dependency.Dependency;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
 /**
 * Analyzer which will attempt to locate a dependency on a Nexus service by SHA-1 digest of the dependency.
 *
@@ -51,6 +48,7 @@ import javax.xml.bind.annotation.adapters.XmlJavaTypeAdapter;
 * @author colezlaw
 */
 public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
    /**
     * The default URL - this will be used by the CentralAnalyzer to determine whether to enable this.
     */
@@ -82,24 +80,28 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
    private NexusSearch searcher;
    /**
-     * Determine whether to enable this analyzer or not.
+     * Field indicating if the analyzer is enabled.
     *
     * @return whether the analyzer should be enabled
     */
-    @Override
+    private final boolean enabled = checkEnabled();
-    public boolean isEnabled() {
+
    /**
     * Determines if this analyzer is enabled
     *
     * @return <code>true</code> if the analyzer is enabled; otherwise <code>false</code>
     */
    private boolean checkEnabled() {
        /* Enable this analyzer ONLY if the Nexus URL has been set to something
         other than the default one (if it's the default one, we'll use the
         central one) and it's enabled by the user.
         */
        boolean retval = false;
        try {
-            if ((! DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL)))
+            if ((!DEFAULT_URL.equals(Settings.getString(Settings.KEYS.ANALYZER_NEXUS_URL)))
                    && Settings.getBoolean(Settings.KEYS.ANALYZER_NEXUS_ENABLED)) {
                LOGGER.info("Enabling Nexus analyzer");
                retval = true;
            } else {
-                LOGGER.info("Nexus analyzer disabled");
+                LOGGER.info("Nexus analyzer disabled, using Central instead");
            }
        } catch (InvalidSettingException ise) {
            LOGGER.warning("Invalid setting. Disabling Nexus analyzer");
@@ -108,6 +110,16 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
        return retval;
    }
    /**
     * Determine whether to enable this analyzer or not.
     *
     * @return whether the analyzer should be enabled
     */
    @Override
    public boolean isEnabled() {
        return enabled;
    }
    /**
     * Initializes the analyzer once before any analysis is performed.
     *
@@ -184,7 +196,7 @@ public class NexusAnalyzer extends AbstractFileTypeAnalyzer {
     */
    @Override
    public void analyzeFileType(Dependency dependency, Engine engine) throws AnalysisException {
-        if (! isEnabled()) {
+        if (!isEnabled()) {
            return;
        }
        try {
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/CentralSearch.java
@@ -1,17 +1,22 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.data.central;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.utils.InvalidSettingException;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.URLConnectionFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.NodeList;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathFactory;
 import java.io.FileNotFoundException;
 import java.io.IOException;
 import java.net.HttpURLConnection;
@@ -19,6 +24,16 @@ import java.net.URL;
 import java.util.ArrayList;
 import java.util.List;
 import java.util.logging.Logger;
 import javax.xml.parsers.DocumentBuilder;
 import javax.xml.parsers.DocumentBuilderFactory;
 import javax.xml.xpath.XPath;
 import javax.xml.xpath.XPathConstants;
 import javax.xml.xpath.XPathFactory;
 import org.owasp.dependencycheck.data.nexus.MavenArtifact;
 import org.owasp.dependencycheck.utils.Settings;
 import org.owasp.dependencycheck.utils.URLConnectionFactory;
 import org.w3c.dom.Document;
 import org.w3c.dom.NodeList;
 /**
 * Class of methods to search Maven Central via Central.
@@ -26,6 +41,7 @@ import java.util.logging.Logger;
 * @author colezlaw
 */
 public class CentralSearch {
    /**
     * The URL for the Central service
     */
@@ -41,17 +57,11 @@ public class CentralSearch {
     */
    private static final Logger LOGGER = Logger.getLogger(CentralSearch.class.getName());
    /**
     * Determines whether we'll continue using the analyzer. If there's some sort
     * of HTTP failure, we'll disable the analyzer.
     */
    private boolean isEnabled = true;
    /**
     * Creates a NexusSearch for the given repository URL.
     *
-     * @param rootURL the URL of the repository on which searches should execute.
+     * @param rootURL the URL of the repository on which searches should execute. Only parameters are added to this (so
-     *                Only parameters are added to this (so it should end in /select)
+     * it should end in /select)
     */
    public CentralSearch(URL rootURL) {
        this.rootURL = rootURL;
@@ -70,8 +80,8 @@ public class CentralSearch {
     *
     * @param sha1 the SHA-1 hash string for which to search
     * @return the populated Maven GAV.
-     * @throws IOException if it's unable to connect to the specified repository or if
+     * @throws IOException if it's unable to connect to the specified repository or if the specified artifact is not
-     *         the specified artifact is not found.
+     * found.
     */
    public List<MavenArtifact> searchSha1(String sha1) throws IOException {
        if (null == sha1 || !sha1.matches("^[0-9A-Fa-f]{40}$")) {
@@ -80,7 +90,7 @@ public class CentralSearch {
        final URL url = new URL(rootURL + String.format("?q=1:\"%s\"&wt=xml", sha1));
-        LOGGER.info(String.format("Searching Central url %s", url.toString()));
+        LOGGER.fine(String.format("Searching Central url %s", url.toString()));
        // Determine if we need to use a proxy. The rules:
        // 1) If the proxy is set, AND the setting is set to true, use the proxy
@@ -106,8 +116,8 @@ public class CentralSearch {
                if ("0".equals(numFound)) {
                    missing = true;
                } else {
-                    ArrayList<MavenArtifact> result = new ArrayList<MavenArtifact>();
+                    final ArrayList<MavenArtifact> result = new ArrayList<MavenArtifact>();
-                    NodeList docs = (NodeList)xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
+                    final NodeList docs = (NodeList) xpath.evaluate("/response/result/doc", doc, XPathConstants.NODESET);
                    for (int i = 0; i < docs.getLength(); i++) {
                        final String g = xpath.evaluate("./str[@name='g']", docs.item(i));
                        LOGGER.finest(String.format("GroupId: %s", g));
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/central/package-info.java
@@ -0,0 +1,14 @@
 /**
 * <html>
 * <head>
 * <title>org.owasp.dependencycheck.data.central</title>
 * </head>
 * <body>
 * <p>
 * Contains classes related to searching Maven Central.</p>
 * <p>
 * These are used to abstract Maven Central searching away from OWASP Dependency Check so they can be reused elsewhere.</p>
 * </body>
 * </html>
 */
 package org.owasp.dependencycheck.data.central;
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/cpe/CpeMemoryIndex.java
@@ -54,6 +54,7 @@ import org.owasp.dependencycheck.utils.Pair;
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public final class CpeMemoryIndex {
    /**
     * The logger.
     */
@@ -160,7 +161,7 @@ public final class CpeMemoryIndex {
     */
    @SuppressWarnings("unchecked")
    private Analyzer createSearchingAnalyzer() {
-        final Map fieldAnalyzers = new HashMap();
+        final Map<String, Analyzer> fieldAnalyzers = new HashMap<String, Analyzer>();
        fieldAnalyzers.put(Fields.DOCUMENT_KEY, new KeywordAnalyzer());
        productSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
        vendorSearchFieldAnalyzer = new SearchFieldAnalyzer(LuceneUtils.CURRENT_VERSION);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/CveDB.java
@@ -306,14 +306,14 @@ public class CveDB {
     * @throws DatabaseException thrown when there is an error retrieving the data from the DB
     */
    public Set<Pair<String, String>> getVendorProductList() throws DatabaseException {
-        final HashSet data = new HashSet<Pair<String, String>>();
+        final Set<Pair<String, String>> data = new HashSet<Pair<String, String>>();
        ResultSet rs = null;
        PreparedStatement ps = null;
        try {
            ps = getConnection().prepareStatement(SELECT_VENDOR_PRODUCT_LIST);
            rs = ps.executeQuery();
            while (rs.next()) {
-                data.add(new Pair(rs.getString(1), rs.getString(2)));
+                data.add(new Pair<String, String>(rs.getString(1), rs.getString(2)));
            }
        } catch (SQLException ex) {
            final String msg = "An unexpected SQL Exception occurred; please see the verbose log for more details.";
@@ -731,7 +731,7 @@ public class CveDB {
     * @param previous a flag indicating if previous versions of the product are vulnerable
     * @return true if the identified version is affected, otherwise false
     */
-    private boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
+    protected boolean isAffected(String vendor, String product, DependencyVersion identifiedVersion, String cpeId, String previous) {
        boolean affected = false;
        final boolean isStruts = "apache".equals(vendor) && "struts".equals(product);
        final DependencyVersion v = parseDependencyVersion(cpeId);
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/nvdcve/DatabaseProperties.java
@@ -142,8 +142,8 @@ public class DatabaseProperties {
     *
     * @return a map of the database meta data
     */
-    public Map getMetaData() {
+    public Map<String, String> getMetaData() {
-        final TreeMap map = new TreeMap();
+        final TreeMap<String, String> map = new TreeMap<String, String>();
        for (Entry<Object, Object> entry : properties.entrySet()) {
            final String key = (String) entry.getKey();
            if (!"version".equals(key)) {
@@ -156,10 +156,10 @@ public class DatabaseProperties {
                        map.put(key, formatted);
                    } catch (Throwable ex) { //deliberately being broad in this catch clause
                        LOGGER.log(Level.FINE, "Unable to parse timestamp from DB", ex);
-                        map.put(key, entry.getValue());
+                        map.put(key, (String) entry.getValue());
                    }
                } else {
-                    map.put(key, entry.getValue());
+                    map.put(key, (String) entry.getValue());
                }
            }
        }
--- a/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java
+++ b/dependency-check-core/src/main/java/org/owasp/dependencycheck/data/update/task/DownloadTask.java
@@ -18,6 +18,9 @@
 package org.owasp.dependencycheck.data.update.task;
 import java.io.File;
 import java.io.FileInputStream;
 import java.io.FileNotFoundException;
 import java.io.FileOutputStream;
 import java.io.IOException;
 import java.net.URL;
 import java.util.concurrent.Callable;
@@ -25,6 +28,8 @@ import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 import java.util.logging.Level;
 import java.util.logging.Logger;
 import java.util.zip.GZIPInputStream;
 import org.apache.commons.io.FileUtils;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.update.NvdCveInfo;
 import org.owasp.dependencycheck.data.update.exception.UpdateException;
@@ -195,10 +200,18 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
                LOGGER.log(Level.FINE, null, ex);
                return null;
            }
            if (url1.toExternalForm().endsWith(".xml.gz")) {
                extractGzip(first);
            }
            if (url2.toExternalForm().endsWith(".xml.gz")) {
                extractGzip(second);
            }
            msg = String.format("Download Complete for NVD CVE - %s", nvdCveInfo.getId());
            LOGGER.log(Level.INFO, msg);
-
+            if (this.processorService == null) {
                return null;
            }
            final ProcessTask task = new ProcessTask(cveDB, this, settings);
            return this.processorService.submit(task);
@@ -237,4 +250,48 @@ public class DownloadTask implements Callable<Future<ProcessTask>> {
            }
        }
    }
    /**
     * Extracts the file contained in a gzip archive. The extracted file is placed in the exact same path as the file
     * specified.
     *
     * @param file the archive file
     * @throws FileNotFoundException thrown if the file does not exist
     * @throws IOException thrown if there is an error extracting the file.
     */
    private void extractGzip(File file) throws FileNotFoundException, IOException {
        final String originalPath = file.getPath();
        File gzip = new File(originalPath + ".gz");
        if (gzip.isFile()) {
            gzip.delete();
        }
        if (!file.renameTo(gzip)) {
            throw new IOException("Unable to rename '" + file.getPath() + "'");
        }
        final File newfile = new File(originalPath);
        final byte[] buffer = new byte[4096];
        GZIPInputStream cin = null;
        FileOutputStream out = null;
        try {
            cin = new GZIPInputStream(new FileInputStream(gzip));
            out = new FileOutputStream(newfile);
            int len;
            while ((len = cin.read(buffer)) > 0) {
                out.write(buffer, 0, len);
            }
        } finally {
            if (cin != null) {
                cin.close();
            }
            if (out != null) {
                out.close();
            }
            if (gzip.isFile()) {
                FileUtils.deleteQuietly(gzip);
            }
        }
    }
 }
--- a/dependency-check-core/src/main/resources/dependencycheck.properties
+++ b/dependency-check-core/src/main/resources/dependencycheck.properties
@@ -40,11 +40,16 @@ data.driver_path=
 cve.url.modified.validfordays=7
 # the path to the modified nvd cve xml file.
-cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
+cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
-cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
+#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.startyear=2002
-cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
-cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
+#cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
 cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 #cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
 # file type analyzer settings:
 analyzer.archive.enabled=true
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/ArchiveAnalyzerIntegrationTest.java
@@ -40,7 +40,7 @@ public class ArchiveAnalyzerIntegrationTest extends AbstractDatabaseTestCase {
    @Test
    public void testGetSupportedExtensions() {
        ArchiveAnalyzer instance = new ArchiveAnalyzer();
-        Set expResult = new HashSet<String>();
+        Set<String> expResult = new HashSet<String>();
        expResult.add("zip");
        expResult.add("war");
        expResult.add("ear");
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JarAnalyzerTest.java
@@ -93,7 +93,7 @@ public class JarAnalyzerTest extends BaseTest {
    @Test
    public void testGetSupportedExtensions() {
        JarAnalyzer instance = new JarAnalyzer();
-        Set expResult = new HashSet();
+        Set<String> expResult = new HashSet<String>();
        expResult.add("jar");
        expResult.add("war");
        Set result = instance.getSupportedExtensions();
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/analyzer/JavaScriptAnalyzerTest.java
@@ -38,7 +38,7 @@ public class JavaScriptAnalyzerTest extends BaseTest {
    @Test
    public void testGetSupportedExtensions() {
        JavaScriptAnalyzer instance = new JavaScriptAnalyzer();
-        Set expResult = new HashSet<String>();
+        Set<String> expResult = new HashSet<String>();
        expResult.add("js");
        Set result = instance.getSupportedExtensions();
        assertEquals(expResult, result);
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/nvdcve/CveDBIntegrationTest.java
@@ -19,9 +19,11 @@ package org.owasp.dependencycheck.data.nvdcve;
 import java.util.List;
 import java.util.Set;
 import static org.junit.Assert.assertFalse;
 import static org.junit.Assert.assertTrue;
 import org.junit.Test;
 import org.owasp.dependencycheck.dependency.VulnerableSoftware;
 import org.owasp.dependencycheck.utils.DependencyVersion;
 /**
 *
@@ -72,4 +74,21 @@ public class CveDBIntegrationTest extends BaseDBTestCase {
            instance.close();
        }
    }
    /**
     * Test of isAffected method, of class CveDB.
     */
    @Test
    public void testIsAffected() throws Exception {
        String vendor = "openssl";
        String product = "openssl";
        DependencyVersion identifiedVersion = new DependencyVersion("1.0.1o");
        String cpeId = "cpe:/a:openssl:openssl:1.0.1e";
        String previous = "y";
        CveDB instance = new CveDB();
        assertFalse(instance.isAffected(vendor, product, identifiedVersion, cpeId, previous));
    }
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/task/DownloadTaskTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/data/update/task/DownloadTaskTest.java
@@ -0,0 +1,75 @@
 /*
 * This file is part of dependency-check-core.
 *
 * Licensed under the Apache License, Version 2.0 (the "License");
 * you may not use this file except in compliance with the License.
 * You may obtain a copy of the License at
 *
 *     http://www.apache.org/licenses/LICENSE-2.0
 *
 * Unless required by applicable law or agreed to in writing, software
 * distributed under the License is distributed on an "AS IS" BASIS,
 * WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 * See the License for the specific language governing permissions and
 * limitations under the License.
 *
 * Copyright (c) 2014 Jeremy Long. All Rights Reserved.
 */
 package org.owasp.dependencycheck.data.update.task;
 import java.util.concurrent.ExecutorService;
 import java.util.concurrent.Future;
 import org.junit.After;
 import org.junit.AfterClass;
 import static org.junit.Assert.assertNull;
 import org.junit.Before;
 import org.junit.BeforeClass;
 import org.junit.Test;
 import org.owasp.dependencycheck.data.nvdcve.CveDB;
 import org.owasp.dependencycheck.data.update.NvdCveInfo;
 import org.owasp.dependencycheck.utils.Settings;
 /**
 *
 * @author Jeremy Long <jeremy.long@owasp.org>
 */
 public class DownloadTaskTest {
    public DownloadTaskTest() {
    }
    @BeforeClass
    public static void setUpClass() {
    }
    @AfterClass
    public static void tearDownClass() {
    }
    @Before
    public void setUp() {
        Settings.initialize();
    }
    @After
    public void tearDown() {
        Settings.cleanup();
    }
    /**
     * Test of call method, of class DownloadTask.
     */
    @Test
    public void testCall() throws Exception {
        NvdCveInfo cve = new NvdCveInfo();
        cve.setId("modified");
        cve.setNeedsUpdate(true);
        cve.setUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
        cve.setOldSchemaVersionUrl(Settings.getString(Settings.KEYS.CVE_MODIFIED_12_URL));
        ExecutorService processExecutor = null;
        CveDB cveDB = null;
        DownloadTask instance = new DownloadTask(cve, processExecutor, cveDB, Settings.getInstance());;
        Future<ProcessTask> result = instance.call();
        assertNull(result);
    }
 }
--- a/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java
+++ b/dependency-check-core/src/test/java/org/owasp/dependencycheck/utils/DependencyVersionTest.java
@@ -165,6 +165,14 @@ public class DependencyVersionTest {
        version = new DependencyVersion("1.2.3.1");
        assertEquals(-1, instance.compareTo(version));
        instance = new DependencyVersion("1.0.1n");
        version = new DependencyVersion("1.0.1m");
        assertEquals(1, instance.compareTo(version));
        version = new DependencyVersion("1.0.1n");
        assertEquals(0, instance.compareTo(version));
        version = new DependencyVersion("1.0.1o");
        assertEquals(-1, instance.compareTo(version));
        DependencyVersion[] dv = new DependencyVersion[7];
        dv[0] = new DependencyVersion("2.1.3");
        dv[1] = new DependencyVersion("2.1.3.r2");
--- a/dependency-check-core/src/test/resources/dependencycheck.properties
+++ b/dependency-check-core/src/test/resources/dependencycheck.properties
@@ -47,11 +47,16 @@ cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-di
 cve.url.modified.validfordays=7
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
 cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.startyear=2014
-cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
-cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
+#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
 #cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
 cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 #cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
--- a/dependency-check-jenkins/pom.xml
+++ b/dependency-check-jenkins/pom.xml
@@ -3,7 +3,7 @@
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.6-SNAPSHOT</version>
+        <version>1.2.6</version>
    </parent>
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-jenkins</artifactId>
--- a/dependency-check-maven/pom.xml
+++ b/dependency-check-maven/pom.xml
@@ -22,7 +22,7 @@ Copyright (c) 2013 Jeremy Long. All Rights Reserved.
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.6-SNAPSHOT</version>
+        <version>1.2.6</version>
    </parent>
    <artifactId>dependency-check-maven</artifactId>
--- a/dependency-check-utils/pom.xml
+++ b/dependency-check-utils/pom.xml
@@ -21,7 +21,7 @@ Copyright (c) 2014 - Jeremy Long. All Rights Reserved.
    <parent>
        <groupId>org.owasp</groupId>
        <artifactId>dependency-check-parent</artifactId>
-        <version>1.2.6-SNAPSHOT</version>
+        <version>1.2.6</version>
    </parent>
    <artifactId>dependency-check-utils</artifactId>
--- a/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java
+++ b/dependency-check-utils/src/test/java/org/owasp/dependencycheck/utils/DownloaderIntegrationTest.java
@@ -42,12 +42,12 @@ public class DownloaderIntegrationTest extends BaseTest {
        URL url = new URL(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
        File outputPath = new File("target/downloaded_cve.xml");
        Downloader.fetchFile(url, outputPath);
-
+        assertTrue(outputPath.isFile());
    }
    @Test
    public void testGetLastModified() throws Exception {
-        URL url = new URL("http://nvd.nist.gov/download/nvdcve-2012.xml");
+        URL url = new URL(Settings.getString(Settings.KEYS.CVE_MODIFIED_20_URL));
        long timestamp = Downloader.getLastModified(url);
        assertTrue("timestamp equal to zero?", timestamp > 0);
    }
--- a/dependency-check-utils/src/test/resources/dependencycheck.properties
+++ b/dependency-check-utils/src/test/resources/dependencycheck.properties
@@ -45,11 +45,15 @@ cpe.meta.url=http://static.nvd.nist.gov/feeds/xml/cpe/dictionary/official-cpe-di
 cve.url.modified.validfordays=7
 # the path to the modified nvd cve xml file.
 cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
 cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.startyear=2014
-cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
+cve.url-1.2.modified=https://nvd.nist.gov/download/nvdcve-Modified.xml.gz
-cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
+#cve.url-1.2.modified=http://nvd.nist.gov/download/nvdcve-modified.xml
 cve.url-2.0.modified=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-Modified.xml.gz
 #cve.url-2.0.modified=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-modified.xml
 cve.url-1.2.base=https://nvd.nist.gov/download/nvdcve-%d.xml.gz
 #cve.url-1.2.base=http://nvd.nist.gov/download/nvdcve-%d.xml
 cve.url-2.0.base=https://nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml.gz
 #cve.url-2.0.base=http://static.nvd.nist.gov/feeds/xml/cve/nvdcve-2.0-%d.xml
 # the URL for searching Nexus for SHA-1 hashes and whether it's enabled
 analyzer.nexus.enabled=true
--- a/pom.xml
+++ b/pom.xml
@@ -20,7 +20,7 @@ Copyright (c) 2012 - Jeremy Long
    <groupId>org.owasp</groupId>
    <artifactId>dependency-check-parent</artifactId>
-    <version>1.2.6-SNAPSHOT</version>
+    <version>1.2.6</version>
    <packaging>pom</packaging>
    <modules>
--- a/src/site/markdown/related.md
+++ b/src/site/markdown/related.md
@@ -0,0 +1,20 @@
 Related FOSS Projects
 ===========
 * [The Victims Project](https://github.com/victims)
 * [Retire.js](http://bekk.github.io/retire.js/)
 Vulnerability Sources
 ===========
 The following are sources of vulnerability information. Dependency-check only uses information in the National Vulnerability
 Database (NVD). The other sources listed below contain vulnerability information that may not be included in the NVD.
 * [National Vulnerability Database](https://nvd.nist.gov/)
 * [OSVDB](http://osvdb.org/)
 Related Commercial Products
 ===========
 The below list is merely informational. It is not a complete list, nor do the authors of dependency-check endorse any
 of the products listed below.
 * [Sonatype CLM](http://www.sonatype.com/clm/overview)
 * [Black Duck](https://www.blackducksoftware.com/products/black-duck-suite/code-center)
 * [Palamida](http://www.palamida.com/products/enterpriseedition.html)